5 May, 2026

Typosquatting Recovery: Kimley-Horn Wins UDRP Over Domain Used in BEC Attack

UDRP Cases

Kimley-Horn and Associates, Inc. successfully secured the transfer of the typosquatted domain kimlery-horn.com from respondent Jon Baxter. The disputed domain was registered in October 2025 and configured with MX servers to execute an attempted business email compromise (BEC) attack against one of the Complainant’s clients. WIPO Panelist Nels T. Lippert ordered the immediate transfer of the domain to prevent further fraudulent activities.

Case Snapshot

Case Number D2025-5346
Complainant Kimley-Horn and Associates, Inc.
Respondent Jon Baxter, kimlery-horn llc
Disputed Domain
kimlery-horn.com
Threat Tactic Typo Domains
Decision Date 2026-02-18
Panelist Nels T. Lippert
OutcomeTransfer
Official Source https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2025-5346

Deceptive Corporate Impersonation and High-Risk Business Email Compromise Threat

The deployment of the typosquatted domain kimlery-horn.com—which substitutes the keyboard-adjacent sequence "ery" for "ey" in the Complainant’s KIMLEY-HORN trademark—creates immediate operational and commercial risks through targeted communication interception. By configuring active MX (mail exchange) records on the disputed domain, the Respondent established a functional communication infrastructure designed to masquerade as legitimate corporate employees. This setup allowed the threat actor to intercept emails and execute deceptive interactions, utilizing the subtle visual similarities of the domain to bypass standard digital security filters and basic human scrutiny.

The primary commercial impact of this specific technical configuration is its utilization in corporate impersonation and Business Email Compromise (BEC) attacks targeting the Complainant’s active clients. When third-party partners or clients receive messages from an address that closely mimics a trusted engineering and planning consulting firm, the potential for unauthorized financial transfers or the leakage of proprietary project communications increases. Because the exact financial parameters and the specific identity of the targeted client remain confidential, the structural risk is highly pronounced for any enterprise whose external stakeholders rely on digital invoicing and electronic project communications.

Furthermore, the business threat is amplified by the tactical attempts to fabricate administrative legitimacy. The Respondent registered the domain under a deceptive shell designation, "kimlery-horn llc," utilizing a proxy privacy service and the physical address of a Mississippi law firm with which they had no legitimate association. This deliberate strategy of corporate mimicry complicates internal brand protection efforts, as actors attempt to justify bad-faith registration under the guise of business entities. Brand protection professionals must treat domains with active MX records as imminent threat vectors, regardless of whether the domain’s public-facing web interface remains a seemingly benign parking page.

Strategic Integration of Technical MX Record Audits and Deceptive Entity Exposure

The Complainant’s strategy succeeded by combining clear evidence of typosquatting with technical proof of active mail exchange (MX) record configurations. Rather than relying solely on the visual similarity of the keyboard-adjacent typo ‘kimlery-horn.com’ (replacing ‘ey’ with ‘ery’), the Complainant presented concrete evidence that the domain was actively configured to route emails. By documenting that the Respondent used these MX records to masquerade as legitimate corporate employees and target an active client in a business email compromise (BEC) scheme, the Complainant established an irrefutable case of bad faith registration and use under the UDRP.

Furthermore, the Complainant successfully dismantled the Respondent’s attempt to fabricate rights or legitimate interests through a shell entity registration. The Respondent had registered the domain under the name ‘Jon Baxter, kimlery-horn llc’ using a Mississippi law firm’s physical address. The Complainant exposed this setup as a bad faith masquerade, demonstrating that the newly formed LLC and the false contact details were created solely to facilitate fraud. Acting swiftly by filing the dispute on December 19, 2025—just over two months after the October registration—allowed the Complainant to rapidly neutralize the active phishing threat and prevent further deceptive communication with its client base.

Practical Recommendations

  • Implement proactive domain monitoring that alerts security teams not only to look-alike registrations but specifically to the activation of MX (mail exchange) records on those domains, as active MX records are key indicators of impending business email compromise (BEC) attacks.
  • Act swiftly to initiate UDRP proceedings (e.g., within weeks of discovery) when active client-targeted phishing or corporate impersonation is detected, using the rapid filing to neutralize the deceptive domain and mitigate financial and reputational fallout.
  • When confronting respondents who use shell companies (e.g., ‘kimlery-horn llc’) to feign legitimacy, verify and challenge their corporate details—such as highlighting fake addresses or law firm locations—to successfully dismantle their claims of ‘rights or legitimate interests’ before the WIPO panel.
  • Document and present comprehensive evidence of actual deceptive use, including forensic details of email impersonation schemes or outreach to clients, to decisively establish both bad faith registration and use under the UDRP even if the domain currently resolves to a parked page.

Frequently Asked Questions (FAQ)

Why was the domain name ‘kimlery-horn.com’ considered confusingly similar to the Kimley-Horn brand?

The WIPO panel determined that ‘kimlery-horn.com’ uses an intentional ‘keyboard-adjacent’ typo, replacing the ‘ey’ in Kimley with ‘ery’. Because ‘e’ and ‘r’ are located next to each other on a standard keyboard, the panel found this misspelling was a calculated effort to deceive users of the legitimate KIMLEY-HORN mark.

How did the respondent attempt to establish fake legitimacy for the domain?

The respondent registered a shell entity named ‘kimlery-horn llc’ and utilized a law firm’s address to provide a veneer of business legitimacy. The panel rejected this as a bona fide right, finding it was a deceptive tactic solely used to facilitate an attempted business email compromise (BEC) attack against the complainant’s clients.

What evidence proved the respondent acted in bad faith?

Bad faith was confirmed by the configuration of active MX email records, which allowed the respondent to intercept and spoof internal communications as if they were legitimate Kimley-Horn employees. Further evidence included the use of a privacy proxy service to conceal identity and the provision of false contact information.

What is the primary lesson from this case regarding business email compromise (BEC) threats?

This case highlights the critical importance of monitoring for typosquatted domains that include active mail server (MX) configurations. The panel’s decision to order a transfer emphasizes that rapid UDRP action can effectively neutralize an impersonation campaign before it causes financial or reputational damage to the firm’s clients.

Detecting Look-Alike Domains Before They Become BEC Threats

This case highlights how typosquatted domains—like the one used in the Kimley-Horn BEC attempt—often harbor hidden MX records for email interception. Proactive identification of these look-alikes is critical to stopping impersonation before it reaches your clients.

Start domain recovery

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    Image
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Necessary

    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.

    Marketing

    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.

    Personalization

    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.

    Analytics

    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.